Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Audio track (00:00):
is from a cooperative project for acquiring skills essential to learning.
Edna Jonsson (00:05):
Welcome everyone to the Security Chipmunks podcast. Today we're going to be talking about getting started with cyber CTFs in 2025. And we have our hosts, Edna Johnson, Neil Smalley and Patrick, and our guest today is Wheat Aaron Fillmore.
Aaron Fillmore (00:28):
All right, glad to be here.
Edna Jonsson (00:31):
Yeah, absolutely, thank you for joining. So three of us went to Wild West Hackin' Fest earlier this month, right?
Aaron Fillmore (00:43):
Oh yeah, it was way too much fun.
Edna Jonsson (00:46):
Oh my gosh, it was wild. I had so much fun. We did compete in a CTF, I just want to start off with that. Right off the top, and we were amazing. Our team, Shall We Play a Game?, placed first. We had double the points of the team behind us and we went home
(01:08):
with this beautiful black badge from Wild West Hackin' Fest. So our team got first place and won that.
Aaron Fillmore (01:17):
Oh, we also got the, I'm so glad I have this in arm's reach, the trophy, that is anatomically correct, might I add, was not expecting that. I won't show it, but I looked at it, I looked behind. I was like, okay, someone had fun with that.
Edna Jonsson (01:35):
I did not look that closely.
Aaron Fillmore (01:39):
They're hidden a little bit. I'll just send you a picture later.
Edna Jonsson (01:43):
Yeah, thanks. Oh, that's funny. Yeah, so we competed in a CTF. So what were some things that were lessons learned?
Aaron Fillmore (02:00):
Oh, man, a lot. I learned that there's a lot that, I don't know. I mean, obviously, you know, there's always that aspect, but it was kind of nuts, listen. You know, some of the other guys, you know, Derek, him talking, I'm just like, holy crap, I can't keep up with
(02:21):
this, like this guy's next level talking about some stuff, and I'm just like, yeah, I think I can do that sort of thing.
Edna Jonsson (02:29):
But yeah, it was an amazing opportunity. I'm really grateful that we had such an amazing team. Like Derek and Jose and others are incredible CTF players, and I just felt so honored that they would include me on a team.
(02:51):
And then you and Patrick joined. I was like, this is like the dream team, and I was riding this high the entire time, like, oh my god, I'm surrounded by incredible people. I'm learning so much. Yeah, and there were just, you know, all these challenges and, like, what do I do next? And for me, the dopamine just kept going, so that
(03:16):
was fun. Oh yeah, yeah, it was amazing.
Aaron Fillmore (03:20):
Just like that kind of high tick rate, just like boom, boom, boom, boom, boom, like, okay, there's this, there's that, and it's, oh crap, I see this in the logs. Like, there's a lot of flags coming out, and then, especially with the Nginx, it's like, do we implement this? It's like, let's do the math. It can't mathematically win if we just don't roll dice with
(03:42):
taking down the entire infrastructure. Yeah, but it was a lot of fun, like the experience of trying to figure out how are we going to do this with, like, nfx and filtering things out and trying to, you know, work it down. Yeah, my brain was a little mush after that, but well worth it for sure. Really, it's funny, like, what,
(04:08):
what I really realized about the CTF, because I will admit I am really kind of like a newbie at the attack-defend style of CTFs, right. I was really starting to see how the power of automation can be applied to the red team side of the house, right, with
(04:30):
some of the code and the infrastructure that was put up by our team to automatically go out and grab flags and then submit them and things like that. And I was just sitting here thinking in my mind, like, now imagine doing that with, like, known bad vulnerabilities against people's infrastructure, and, like, this is just crazy how
(04:53):
you can do this, you know. Oh yeah, that was nuts. How, like, we were sitting there, it felt like it was 10 minutes in and someone's just like, cool, so I automated this exploit here. I'm just like, you what? They're just already sitting there ready to submit flags, and the Discord channel starts and flags start flying in left and
(05:15):
right and we're like, whoa, that's nuts, yeah.
Edna Jonsson (05:20):
So the entire day before, Thursday, the five of them were just, like, huddled together over computers. I was trying to pay attention to what was going on, but it was kind of going over my head, a lot of it, against those services
(05:44):
and how they can jump in and start fixing things and patching right away and examining what scripts they could pre-prepare. They had stuff ready that they didn't use because it didn't apply, but there was so much preparation that went into that.
Aaron Fillmore (06:04):
Like there was so much preparation that went into that. Yeah, it was. I felt bad because I wanted to be engaged more on that day before, but I was so focused on, what was it? I think it was the extra flags or whatever on the website, I was like, I have to, or it was the other, the MAC address captures.
(06:24):
Like, I have to figure out the last couple or whatever, walking around with the Pineapple sniffing MAC addresses. Yeah, it was that little badge CTF stuff. The first time I'd ever done a hardware hacking badge challenge like that. It was a lot of fun. I learned a lot. Yeah, that's kind of like the great thing about the
(06:47):
Wild West Hackin' Fest competitions. There's always, like, multiple CTFs. So, Jason from Red Siege, he was doing a vishing CTF. I'm not sure if you guys took part in that or not, but it was really interesting. Did you?
Edna Jonsson (07:08):
It was really fun.
Aaron Fillmore (07:10):
It was so fun, yeah. And then there was also, like, the Jeopardy-style CTF that took place, right, and didn't you do pretty good in that, Aaron? Yeah, yeah, I managed to take second place and, oh man, I was sitting in, I felt bad, so I wasn't paying attention in a couple of workshops, because as soon as that thing
(07:31):
opened up I was like, boom, knocking things out, and I was sitting in first, and then suddenly Bad Wolf just comes in halfway through, goes straight up, and I was like, who, where, what? I don't know if he's flag hoarding or what, but he passed me and I'm like, oh, I'm not getting that back, like, the best I could do is fight for second. Yeah, it was a lot of fun too. Yeah, that was amazing to see
(07:57):
that.
Edna Jonsson (07:58):
I think that was a high school student, that one. Oh, for the badge one, yeah. Oh yeah, no, I'm sorry, I meant the Jeopardy. Was it, um, Bad Wolf?
Aaron Fillmore (08:13):
I don't know if he's a high school student. I mean, if he is, I know I'm getting the CTFs confused. I'm talking about the Jeopardy one. Yeah, I know. The guy who took first, Ladder Logics I think is what he goes by. Yeah, he was saying that he basically took a week off of high school to attend.
Edna Jonsson (08:32):
And.
Aaron Fillmore (08:32):
I was like, that is freaking amazing. I love that for him, that he's able to not just take time out of high school to go compete but to kick ass. Like, him and I were sitting there battling and they got pissed off at us because we were doing some of the challenges before the actual conference started, and they reset our scores and said, chill the hell out.
(08:53):
Apparently they sent him an angry DM, and when I went and asked about it they were like, you can do the badge ones, the infrastructure stuff that you've fricking done, stop.
Edna Jonsson (09:04):
Yeah, yeah, nice. So, other than, like, showing up and doing awesome at multiple CTFs in one conference, how have you, what has your learning journey with CTFs been like? How did you get started?
Aaron Fillmore (09:39):
So, one of my favorite things I like to tell people is that I was kind of engaged in a multi-year CTF with my father, which, for context, so he was the program director for the Marine Corps PKI infrastructure implementation for data centers. So he was aware of the dangers of the internet and what was out there. Granted, my threat profile as a four-year-old was not that of the United States Marine Corps. However, you can imagine there's probably a little bit of overlap there. So when we got our first computer, you know, Dell,
(10:03):
the gray Dell, dark gray Dell, the massive CRT monitor, from then on he spent a lot of time, you know, putting technical and administrative controls, if you will, in place to protect me from stuff, and I was like, how about no? There we go, okay.
Edna Jonsson (10:25):
So you had an interesting way of learning, yeah.
Aaron Fillmore (10:30):
Yeah, yeah, it was definitely trial by fire or, I guess, a lot of trial and error, I should say. But I think one of the things that really helped a lot too, and one of the things that I like to tell people to do, is, you know, get involved with, like, communities and whatnot, with other people,
(10:50):
because there's so much that can be learned from others. Everyone has different backgrounds and experiences. So, especially a team game like that attack-defense CTF, or like NCL or whatnot, especially like NCL, you get a good team of different perspectives and experiences. Oh my gosh, you could do really well, and we almost got so close
(11:14):
to that. That top five, well, top, yeah, had I not, I was missing four letters. Had I got those four letters, then I think we would have been top four or five for the NCL team game last fall. But we're coming back to reclaim that position, hopefully.
Edna Jonsson (11:32):
Yeah, well, I'm hopefully going to be on a team with you, oh yeah.
Aaron Fillmore (11:37):
I'm going to cry. I'm pretty sure you will be. I would be shocked if you weren't.
Edna Jonsson (11:44):
Yeah, last year we did really well when we were on a team together.
Aaron Fillmore (11:48):
Oh, yeah, yeah, because I think I was in Denver again, ironically, during the team game, and I felt bad because I was like, I can't participate. But I was really thankful that you guys let me hop on. I was glad I was able to get that last web challenge. I don't think we had a lot of time left, and I was like, what if? And it just happened to be it.
Edna Jonsson (12:08):
I was like, oh my gosh, yeah, that was amazing, great time. That was fun. So what is your favorite CTF type of challenge?
Aaron Fillmore (12:24):
Ooh, I'd probably have, it's a toss-up between, I'd say, OSINT and forensics. I like the challenges with OSINT, especially the CISA Update 1 challenge that they had in NCL. Man, that was rough, but it was so satisfying when you got it.
(12:45):
The tree. They had a picture of a tree in a building. They're like, what's the ID for this tree? And everyone, like, still has PTSD from that. But it's something about that end goal sort of thing and just navigating through the maze until you get it, and it's really addicting, especially with forensic challenges.
(13:06):
Like memory dumps and all that. I know a lot of people don't like them, which I get, because it can be kind of cumbersome to work with, especially, like, multi-gig memory dumps. And thank God they're not giving out, like, 16 gigabyte memory dumps, because those are really painful. But they're a lot of fun and, admittedly, I'm sure
(13:27):
part of that is because forensics is kind of my background, so I've got experience doing it. But yeah, they're a blast. I love those ones. What about you guys? What are y'all's favorite categories? Everyone's got to have a favorite, I'm sure.
Edna Jonsson (13:46):
I like crypto. Those are fun, getting to figure out, what is the cipher, what are we deciphering here? Those can be really challenging too. Oh yeah. I also love OSINT. That is so fun, to find things. I like going down the rabbit holes and all the pivots until
(14:11):
you're like, oh, there it is, there's the thing I've been looking for. I found it. Oh yeah. How about you, Neil or Patrick?
Aaron Fillmore (14:25):
I'm a fan of a lot of the ones that I guess are the exploit category, right. So, you know, some CTFs will give you, like, a buffer overflow to do, or, here's the source code, you know, figure out how to do this type of thing. So that's always, to me, pretty rewarding once you're able to do
(14:52):
that and then get the flags from it. So that'd probably be my number one favorite thing to do. Nice. Those things are tough. I hate those ones, I'll be honest, mainly because I'm bad at them. Well, I'm not great at them either, but I love the challenge,
(15:14):
right. A secondary one would be crypto, right, because it's the puzzle to it that I love.
Edna Jonsson (15:27):
Nice. All right, Neil, what's yours?
Neil Smalley (15:32):
Miscellaneous, just because you never know what you're going to get. Half the time, people don't know what category to put challenges in, and so they end up under miscellaneous, and so you can get all sorts of different ones under there. I would have to say that and just stuff I haven't come across before,
(15:52):
so probably a lot of, like, the pwn stuff or whatnot. I haven't necessarily done as much, but anything that forces me to learn, right. So if I haven't done something, it forces me to learn something, and that's all to the good in my book. Very cool. I just love seeing the different creative and
(16:13):
interesting things people come up with, or different things. Oh, I will say one of the, I guess it would fall under crypto categories, but some of my favorites have been the ones where it's, like, a whitespace encoding or something like that, or, like, just spaces or whitespace or various, like, Unicode stuff wrapped around everything
(16:37):
else. Yeah, definitely has been interesting, like those Odie-level challenges where he comes up with something and you're like, what? That's a little bit different than what I was talking about. That's more, oh, gotcha, Odie is in his own category. I felt bad.
Aaron Fillmore (17:01):
He sent me some challenges and he was like, what do you think about these? I'm like, I'm gonna be honest, dude, I don't know what I'm looking at. Like, I genuinely just had no freaking clue.
Neil Smalley (17:10):
I honestly felt like he would do better, like, if those challenges were in one of the more serious ones that prep you for DEF CON or something. Honestly, oh yeah, the difference between going to, no
(17:31):
offense, like the Cyber Info CTF, and then going to, like, I don't know, like the Plaid Parliament of Pwning CTF is going to be a world of difference, and you just kind of set your expectations differently.
Aaron Fillmore (17:39):
So, oh yeah, yeah, his challenge was like, I'm pretty sure I rated it like very hard or insane or something like that, and tacked a lot of points onto it, because I was like, I don't even know how to solve this one, man, so somebody with way more experience in CTFs than I have. So, oh yeah, and I mean, like, if you look at some of those, it's
(18:01):
pretty insane.
Neil Smalley (18:02):
Probably one of my favorite ones I've seen, I think it's from an old one, from a CTF, where they had, like, a robot arm writing with, like, a laser pointer that wrote the flag out or something like that. So to decode the flag you had to, like, decode the movements of the robot arm, but that was a fun one to read out. That is so cool.
Aaron Fillmore (18:23):
Oh man, I got to find that now.
Edna Jonsson (18:26):
Nice, all right. So for the final question: if you were to start again today and you knew nothing about CTFs and you were starting fresh, where would you start learning to prepare for CTFs?
Aaron Fillmore (18:45):
Oh, I think for me personally, and I know a lot of people learn differently. However, I'd say, I feel like the vast majority of people that are in this industry probably learn in a similar fashion, by doing. I think that's probably where I would start, is just dive in, and I've seen a lot of people be kind of averse to that,
(19:09):
where they say, like, I don't think I'm there yet, or I need to learn more, or this, that or the other, and I'm like, well, what is? There's never going to be the right time, there's never going to be a light switch that trips in your head where you're like, I'm now at a point where I can, you know, do a CTF. You just have to go do it, just hop in, try it, even if you
(19:32):
don't complete the challenge. If you learn something new, that's ultimately what matters. Like, you know, there's obviously the competitive aspect, which is fun, but the benefit is really learning something new and taking something away, especially if you can apply that practically, which, there are plenty of challenges where you can't. You're not going to be decoding SSTV signals in a SOC, and if
(19:56):
you are, maybe you're working for NASA or something like that, I don't know, but just the process of figuring that out and learning something new, that's beneficial. So I think, if it was, I would try to, you know, like,
(20:20):
get on picoCTF or just whatever the case may be. Ask, like, can I join someone? And even, I think it was either yesterday or today, someone was talking about how, they were messaging me about something and they had seen our posts on LinkedIn about Wild West Hackin' Fest. And I'm like, yeah, it's fun, you know. Living vicariously
(20:41):
through you or whatever. And I was like, what do you mean? And he's like, well, I don't remember specifically what he said, but the general sentiment was that he's just not there yet with CTFs. And I was like, I think you're wrong. If you can learn how to Google, you can do a CTF and contribute on some level. Like, you don't have to be sitting here swinging hammers
(21:01):
around and knocking out challenges left and right. Even just being there and having a different perspective on something can be the thing that completely changes a challenge. In a specific example with NCL, Odie and I were sitting there banging our heads against the wall trying to extract something out of a memory dump, and then someone was
(21:23):
like, well, someone else said something about a keylogger, and we went, okay, hold on, and dumped out the memory of a Python process and, sure enough, there were the key presses and whatnot. And had they not said that, and they're not a forensics person, but it's just another thought, and had they not said that, we probably would have still been trying to dump that crap out to
(21:44):
this day and not figured it out. So I think that's a big thing, is just, don't be afraid to ask or to, you know, involve yourself, which I know is a lot easier said than done. I think there's probably plenty of us in this industry who find it hard to put yourself out there, and I'm definitely
(22:07):
one of them, and go talk to people and, like, hey, can I join you? Because I'm like, I don't want to impose, but I think there's a lot of benefit if you do, and the right people, who you do want to be around, will have no problem helping you out and involving you in some way.
Edna Jonsson (22:25):
Very nice, that's good advice. Thank you, I try. All right, this has been an episode of Security Chipmunks. Remember, as you're learning, just keep chipping away at it. Thanks for listening in. Make sure you like and subscribe and we'll see you next time.